[issue3122] hg clone puts user password in .hg/hgrc

Matthew Giannini bugs at mercurial.selenic.com
Tue Nov 22 08:50:11 CST 2011


New submission from Matthew Giannini <mgiannini at tridium.com>:

If you hg clone and give a URL that includes username at password, then 
Mercurial will put the full URL including the password into the resulting 
.hg/hgrc file in the [paths] section for "default".

I think the clone should "scrub" the default repository URL and remove any 
password.  If users want auto-injection of the password they should configure 
[auth] in their user-specific .hgrc files or explicitly put the password into 
the .hg/hgrc file.  But Mercurial should not do this by default.

----------
messages: 18143
nosy: mgiannini
priority: bug
status: unread
title: hg clone puts user password in .hg/hgrc

____________________________________________________
Mercurial issue tracker <bugs at mercurial.selenic.com>
<http://mercurial.selenic.com/bts/issue3122>
____________________________________________________


More information about the Mercurial-devel mailing list